Package: atftpd
Version: 0.7.dfsg-3
Atftpd crashes with signal 11. I can force atftpd to crash during a tftp session by sending it a malformed tftp error packet. The client asks for a file, atftpd sends the first block of data, and the client sends a malformed tftp error packet consisting only of the error opcode and the errno, but without the required error string. Hereafter atftpd crashes with signal 11.
Atftpd uses a customized version of Strncpy that ensures the copied string is null terminated. The implementation did not take into account that the string size could be zero.
I have attached a patch which solves the problem. I also have a small perl script that creates the malformed tftp session.
The bug is still present in version 0.7.dfsg-6. I have also reported the bug in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/atftp/+bug/309746
Regards, Jakob Hilmer - [email protected]
--- atftp-0.7.dfsg.orig/tftp_def.c
+++ atftp-0.7.dfsg/tftp_def.c
@@ -140,8 +140,10 @@
*/
inline char *Strncpy(char *to, const char *from, size_t size)
{
- to[size-1] = '\000';
- return strncpy(to, from, size - 1);
+ strncpy(to, from, size);
+ if (size>0)
+ to[size-1] = '\000';
+ return to;
}
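Review bot: The `size>0` guard is the right fix for the reported crash: with `size == 0` the old first statement `to[size-1] = '\000';` indexes with `(size_t)0 - 1`, i.e. SIZE_MAX, and writes far outside `to` before strncpy is ever reached. The reordering (copy first, terminate last) is behaviour-preserving for `size > 0`, because strncpy pads or truncates to `size` bytes and the final byte is then forced to NUL exactly as before, and returning `to` is what strncpy returned anyway. Two small suggestions: add a one-line comment above the function stating that it silently truncates `from` to `size-1` characters and that `size == 0` leaves `to` untouched, and since the zero size here comes from an ERROR packet that carries no error string, the caller that derives the string length from the received datagram should reject such packets outright (the error string is a required field) rather than rely on this guard alone.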
Attachment: tftptest.pl (Perl program)
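The following is an added example, not the reporter's patch or atftpd's own code, showing the two Strncpy bodies side by side and the input-validation step a server should perform before the string ever reaches Strncpy. `Strncpy_orig` and `Strncpy_fixed` reproduce the pre- and post-patch bodies from the hunk above; `tftp_error_packet_ok` and `orig_write_index` are hypothetical helpers written for this example (atftpd's real packet parser is not shown on the page), and the sample packets are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch body of atftpd's Strncpy, kept only for comparison.
 * With size == 0 the expression size-1 wraps to SIZE_MAX, so the first
 * statement writes far outside `to`: never call this with size 0. */
char *Strncpy_orig(char *to, const char *from, size_t size)
{
    to[size - 1] = '\000';
    return strncpy(to, from, size - 1);
}

/* Patched body: copy first, then terminate only when a byte exists for it.
 * Like the original it silently truncates `from` to size-1 characters. */
char *Strncpy_fixed(char *to, const char *from, size_t size)
{
    strncpy(to, from, size);
    if (size > 0)
        to[size - 1] = '\000';
    return to;
}

/* The index the pre-patch code would have written for a given size
 * (computed only, never dereferenced). Hypothetical helper. */
size_t orig_write_index(size_t size)
{
    return size - 1;
}

/* Hypothetical ERROR packet check, not atftpd's parser. RFC 1350 lays an
 * ERROR packet out as opcode (2 bytes, value 5), error code (2 bytes),
 * ASCII message, terminating zero byte. A packet that stops after the
 * error code, as in the report, is rejected before any string handling. */
#define TFTP_OP_ERROR 5

int tftp_error_packet_ok(const uint8_t *pkt, size_t len,
                         char *msg, size_t msgsize)
{
    if (len < 5)                       /* opcode + errcode + at least '\0' */
        return 0;
    uint16_t opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (opcode != TFTP_OP_ERROR)
        return 0;
    const char *str = (const char *)pkt + 4;
    /* The message must be zero-terminated inside the datagram itself;
     * otherwise a later strlen()/strcpy would read past the buffer. */
    if (memchr(str, '\0', len - 4) == NULL)
        return 0;
    Strncpy_fixed(msg, str, msgsize);  /* bounded copy into caller's buffer */
    return 1;
}

int main(void)
{
    /* Constructed samples: the report's malformed packet (opcode 5 and an
     * error code, nothing else) and a well-formed one carrying "File". */
    const uint8_t malformed[]  = { 0x00, 0x05, 0x00, 0x01 };
    const uint8_t wellformed[] = { 0x00, 0x05, 0x00, 0x01, 'F', 'i', 'l', 'e', 0x00 };
    char msg[32];
    int ok;

    ok = tftp_error_packet_ok(malformed, sizeof malformed, msg, sizeof msg);
    printf("malformed accepted: %d\n", ok);
    ok = tftp_error_packet_ok(wellformed, sizeof wellformed, msg, sizeof msg);
    printf("well-formed accepted: %d, msg=\"%s\"\n", ok, msg);
    printf("index the old code would write for size 0: %zu\n", orig_write_index(0));
    return 0;
}
```

The guard in `Strncpy_fixed` stops the out-of-bounds write, but the validation in `tftp_error_packet_ok` is what keeps a missing or unterminated error string from reaching any string routine at all; both layers are cheap and the second one catches malformed packets regardless of which copy helper the server uses.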